File name: ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85

Full analysis: https://app.any.run/tasks/a4b71e8d-89de-4f0a-98e0-05a5e601fa5d
Verdict: Malicious activity
Analysis date: November 05, 2024, 19:29:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 8C381DBFDBA2E8586FF5A96066588F90
SHA1: 84B00D799E261BF2237FCD20606608D1CCE4F2F1
SHA256: CE2373EB00E91BCF491C51C00C7E99C7DE21127189BE5571BF187B60C2675B85
SSDEEP: 24576:iLnTKqndIQtrmaEDpr9JhE49yvaPVgVCdxJX+3P+XWLmYsk4NXoXyh1Zw6:iLnemIQtrmaEDpr9JhE49yvaPVgVCdD0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe (PID: 6664)
    • Starts a Microsoft application from unusual location

      • un713937.exe (PID: 6256)
      • ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe (PID: 6664)
    • Executes application which crashes

      • pro5192.exe (PID: 512)
    • Executable content was dropped or overwritten

      • ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe (PID: 6664)
      • un713937.exe (PID: 6256)
    • Connects to unusual port

      • qu4966.exe (PID: 6424)
  • INFO

    • .NET Reactor protector has been detected

      • qu4966.exe (PID: 6424)
    • Create files in a temporary directory

      • ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe (PID: 6664)
      • un713937.exe (PID: 6256)
    • Checks supported languages

      • ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe (PID: 6664)
      • un713937.exe (PID: 6256)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 647680
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
Total processes: 129
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown in the graph: ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe, un713937.exe, pro5192.exe, werfault.exe, qu4966.exe (flagged THREAT).

Process information

PID: 512
CMD: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\pro5192.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\pro5192.exe
Parent process: un713937.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules (images):
  • c:\users\admin\appdata\local\temp\ixp001.tmp\pro5192.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 6256
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\un713937.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\un713937.exe
Parent process: ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules (images):
  • c:\users\admin\appdata\local\temp\ixp000.tmp\un713937.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 6424
CMD: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\qu4966.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\qu4966.exe
Parent process: un713937.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\appdata\local\temp\ixp001.tmp\qu4966.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 6664
CMD: "C:\Users\admin\Desktop\ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe"
Path: C:\Users\admin\Desktop\ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules (images):
  • c:\users\admin\desktop\ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

PID: 6896
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 512 -s 1152
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: pro5192.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
Total events: 7 629
Read events: 7 629
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID: 6896
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_pro5192.exe_a86af83e5291854263d6e9d53391accc6c9aef92_990df3ff_a4c12046-a47d-436f-b5c3-fbc35bba7b8b\Report.wer
Type: -
MD5: -
SHA256: -

PID: 6896
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\pro5192.exe.512.dmp
Type: -
MD5: -
SHA256: -

PID: 6896
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD721.tmp.xml
Type: xml
MD5: C25DC17D90DEDDD5AB0A44428BB2CEB4
SHA256: D4A630ACDE0C1BE09FBCCDA6AF2606F1199FE5C5C2A3E6D72F1EE32E19F44434

PID: 6664
Process: ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\si724138.exe
Type: executable
MD5: 3AF8F34ADA346BF014A36D396DAE0D41
SHA256: FA01016FC9C3E38E5B614733FD1432BBE0AF0F4B1CA9F4D4AB50D18CE8BF66A3

PID: 6664
Process: ce2373eb00e91bcf491c51c00c7e99c7de21127189be5571bf187b60c2675b85.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\un713937.exe
Type: executable
MD5: 27E755C8387C84C05EB0EE2728C92568
SHA256: 5DFB60F0BB10BD310CC0BFFD1405E7DDC99B837A48F1D171C1F9218FD1CD6FAF

PID: 6256
Process: un713937.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\pro5192.exe
Type: executable
MD5: 3EE35D829259498F8BF5D3286F0AB83D
SHA256: 705B5DB1F57C96E6411E4BFAC547F1F998C5DAC5D7BB5DCD5B5AB39CCE84B3B9

PID: 6896
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6E1.tmp.WERInternalMetadata.xml
Type: xml
MD5: 97B1917489A88F67A21F758721CC5553
SHA256: 079A64844D7CF5BE0DB60124407B9B71ABAF8C18229177F8A6AFDA2A3B97721B

PID: 6256
Process: un713937.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\qu4966.exe
Type: executable
MD5: 72A33293FDEDE87A931961A0383C542B
SHA256: 9C8A2670AF254EA852AADB14BA2DCA4A5841EFD5FA1565883F0D357489357DD3

PID: 6896
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD579.tmp.dmp
Type: dmp
MD5: 1FF0D652C3BB9F57D1C0AD97458D5DBD
SHA256: 02B5AE4C4D1118129600C1997FECED6D829B4CE119F0BCEB656512337D08867A
HTTP(S) requests: 6
TCP/UDP connections: 34
DNS requests: 9
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(In every row of this report the CN, Type and Size cells survive only as the single value "unknown".)

5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1588 | RUXIMICS.exe | GET | 200 | 2.19.126.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.19.126.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 2.19.126.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1588 | RUXIMICS.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1588 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.23.209.177:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 2.23.209.176:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 2.19.126.97:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 2.19.126.97:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1588 | RUXIMICS.exe | 2.19.126.97:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158, 4.231.128.59 | whitelisted
www.bing.com | 2.23.209.177, 2.23.209.176, 2.23.209.187, 2.23.209.150, 2.23.209.148, 2.23.209.179, 2.23.209.149, 2.23.209.182, 2.23.209.185 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 2.19.126.97, 2.19.126.87 | whitelisted
www.microsoft.com | 23.32.185.131 | whitelisted
watson.events.data.microsoft.com | 20.189.173.22 | whitelisted
self.events.data.microsoft.com | 104.46.162.227 | whitelisted

Threats

PID | Process | Class | Message
6424 | qu4966.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
6424 | qu4966.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 30
6424 | qu4966.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
No debug info